f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
Size

2.6MB
MD5

da7798983dc0e62359c27ba5902dbcc0
SHA1

d2986001ea13ba4379cb9cc20dab6eaab25c10f5
SHA256

f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704
SHA512

5b39a26a058710fd7147c46e4e821594671e1fe53cb78f7845c5bce5e38f8e901c263f2be88222d72d6b7a6bdd6bea759268f8b108c21f306c100070c333d4cb
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBCB/bS:sxX7QnxrloE5dpUpRb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe

Executes dropped EXE 2 IoCs

pid	Process
2268	locxdob.exe
1804	xoptiec.exe

Loads dropped DLL 2 IoCs

pid	Process
1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\UserDot2Y\\xoptiec.exe"	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\MintHS\\dobdevsys.exe"	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locxdob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xoptiec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe
2268	locxdob.exe
1804	xoptiec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2268	1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	30
PID 1520 wrote to memory of 2268	1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	30
PID 1520 wrote to memory of 2268	1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	30
PID 1520 wrote to memory of 2268	1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	30
PID 1520 wrote to memory of 1804	1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	31
PID 1520 wrote to memory of 1804	1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	31
PID 1520 wrote to memory of 1804	1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	31
PID 1520 wrote to memory of 1804	1520	f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe	31

C:\Users\Admin\AppData\Local\Temp\f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe
"C:\Users\Admin\AppData\Local\Temp\f4357f89849183db34aa02b21e2d0cd91fe4f5aa5a6a8b2c9d596890dc897704N.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\UserDot2Y\xoptiec.exe
  C:\UserDot2Y\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MintHS\dobdevsys.exe

Filesize
2.6MB

MD5
dbb0a2a98d8dcd7a4c1aefa3acf270da

SHA1
3f1ac541a7c7e85a944dedbe9992c25e90a1daa0

SHA256
3d21730205943430b94c0d959f9686b4390ff1c57dc725ba1dac31e546d094e0

SHA512
1798b2d20e084bb6e6085a84b82b6a7edb79b93779f7b570db2a1b2f96b485d16ca875c79c16abba0b72aa7857cc51e1ea0b70907e80428a024c48e09bec25e9

Download Submit
C:\MintHS\dobdevsys.exe

Filesize
2.6MB

MD5
fa0e71c9a0f087e9f7ccecaafa7a9514

SHA1
cc708f909a4cb2ac3e115da782ce3473f427f034

SHA256
a70e49d89770f3ebc42d28ae9f637bd46a04cfcd9ee038b29f84e42d54f56c79

SHA512
78f41b2aa079ee0ff17155b48dcb22c113be39dd5248c480adcf60dbbe23b59eb16f7bf016f9c49d5724436fe62816e24d97f047bb07bc57c35a7f3b750f78ad

Download Submit
C:\UserDot2Y\xoptiec.exe

Filesize
2.6MB

MD5
b6e4dac01b1ca48056bf31876c80adef

SHA1
4280566b141528dee4bcf66ba3cf8de3f51a5d09

SHA256
26869e30ba6bdb09e84fe58173b3990b34a2045177697cca3e8dd1a196b69fc2

SHA512
ceb885ad08cda8ea6816d03095876ad40fc468950040c8060a84c214c35fa9d6dd8aa56b84cc7788da37446819e43a7b6ae51e84384fe02d70ddeaeece151b53

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
172B

MD5
2a982f3718e8728025e730afa1a4eb71

SHA1
76a48b3f5c0a7addfbbffb40e012186d6574d9e1

SHA256
700fcb65a18bb1c29e1048dc3160b5e8cc506c3bf362d6ff0ca2ea407ed133c0

SHA512
0bc0996dab0cdc4f0b98d837a56888039ec2288abc6365ff1b17024fcf27b1f440383454a9d6a0e20d69403375b1da8fa680995103e5ca5f3c1b71a5fa739c50

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
204B

MD5
df83548298b199db279916a19b14721f

SHA1
aa1177b476cc00b074a1566005a81dcf6c9a9e43

SHA256
bfed7bb8472631404c5180028244e4cc585ffbcc933d636a78c69afdc2ac7288

SHA512
140681b3320754c7ab81bd15b96932e16f686371e5118e707b22f67a6d6bc1912123285e533d5e4ee966d5fc9bf5637012a15424d5b20811a8c9950582aa6b6d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\locxdob.exe

Filesize
2.6MB

MD5
576f66ebd7285a56a43d008d24616567

SHA1
6f7f706576a2fef6422bda404dca759691537be0

SHA256
65fa76cbb69e3e9447e4685c0b8814432c2dfcf7c0525e8f70a863984a085292

SHA512
7d8bb2aadf1b503f780b5913d57343cdcf46df26924831fd5f5a228e077a18852308713336853c1921f1bf8112fbfb1ab8077f0b719fd6620b5b082d1033e9e5

Download Submit